!!!!!!!!!!!!!!!!!!!!!!

Transcription

1 Infrastructure Security Assessment Methodology January 2014 RSPS01 Version 2.1 RandomStorm - Security Assessment Methodology - RSPS01 Version Page 1

2 Document Details Any enquires relating to this document should be addressed to the document author directly. Reference RSPS01 Version 2.1 Original Release January 2014 Last Updated January 2014 Author Gavin Watson RandomStorm - Security Assessment Methodology - RSPS01 Version Page 2

3 i Table of Contents Introduction 4 Document Purpose 4 Document Structure 4 Security Testing 5 External Testing 5 Internal Testing 5 Black Box Testing 5 White Box Testing 6 Review Testing 6 Testing Methodology 7 High Level Overview 7 Initial Scoping 8 Reconnaissance 8 Network Traffic Analysis 8 Port/Service Discovery 9 Assessment 9 Automated Vulnerability Assessment 9 Manual Confirmation / Exploitation of Infrastructure Vulnerabilities 9 Manual Confirmation / Exploitation of Web Application Vulnerabilities 10 Brute-force / Wordlist Attacks 10 Post Exploitation Techniques 10 Operating System/Service Version NVD Cross-Reference 11 Reporting 11 Presentation 11 Appendix A - About RandomStorm 12 Appendix B - Professional Services 13 Penetration Testing Team 13 Compliance Team 13 Web Application Testing Team 13 PCI ASV Team 13 Appendix C - Safe Checks 14 RandomStorm - Security Assessment Methodology - RSPS01 Version Page 3

4 i Introduction Document Purpose RandomStorm adopt a proven information security assessment methodology based on industry recognised guidelines including the NIST Special Publication and the Open Source Security Testing Methodology Manual (OSSTMM). This methodology is followed by all consultants on all infrastructure security assessments, ensuring that a thorough and accurate assessment is performed. In addition, the use of a formal methodology helps to maintain consistency among the various assessments performed by different consultants. The purpose of this document is to provide a clear and concise explanation of the various components of RandomStorm s methodology. In each section the various tools used by the consultants will be listed along with any applicable NIST SP documentation references. Document Structure This document contains the following four sections: 1. Introduction 2. Security Testing This section explains the most common techniques used to perform infrastructure security assessments. 3. Testing Methodology This section covers the various components of the methodology in the order that they are performed. The most common tools used by the RandomStorm consultants are listed under the title, Associated Tools in each section. Where applicable NIST references will be provided which can be found under the title, 4. Appendix Documents This section includes appendix documents that contain additional information that readers may find useful. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 4

5 i Security Testing External Testing An external infrastructure security assessment is usually performed from the assessor s office or data centre locations and targets the client s publicly facing network services. The assessment will identify software or configuration vulnerabilities associated with the target hosts. As these services are publicly available their security is a significant concern for the client. For example, should an attacker successfully compromise a service such as an external portal, then they may be able to launch effective social engineering spear phishing attacks. Similarly, a successful compromise of the client s external VPN service could result in full remote access to the internal network. External testing often involves a greater emphasis on publicly available information and how it could be leveraged against the target business. RandomStorm s consultants will gather key pieces of information such as (but not limited to) addresses, website unique words, associated social media information and document meta data author names. This information will be examined and used to perform a realistic simulation of an external attack. Typically, the external assessment is performed by a separate team and information is not shared with those performing the internal assessment. Internal Testing An internal security assessment is performed onsite at the client s location and the consultant will be directly connected to the corporate network. This assessment will identify software and configuration vulnerabilities associated with the servers, workstations and infrastructure devices that make up the client s internal network. As the consultant is directly connected to the network, the assessment is simulating an attacker having successfully gained access externally or attacks from internal threats such as disgruntled employees. Internal tests often yield significantly more results than external tests as a far greater number of hosts are within scope. Additionally, the live services hosted by internal servers are generally less restricted than those within an externally facing DMZ. Where external assessments focus of leveraging publicly available information against a handful of services, internal assessments focus on identifying the most significant vulnerabilities from a typically large scope. Black Box Testing During Black Box testing, the client will not provide any detailed information about the target systems beyond their IP addresses. This type of assessment is the most realistic simulation of a real world attack. As no information is provided, the initial reconnaissance stages take a greater precedence, establishing a foundation for the remainder of the test. Clients can request that an external assessment be performed without providing any target IP addresses. The consultants will be expected to perform passive online reconnaissance to identify any targets associated with the client. These targets will then be presented to the client who will then confirm which are to be fully tested. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 5

6 White Box Testing During White Box testing, the client will provide RandomStorm with detailed information about the target systems. With a greater insight into the systems the consultant would be able to identify more vulnerabilities than in Black Box testing. Therefore, White Box testing can be considered more thorough but at the expense of a realistic test. Generally, a client will perform Black Box testing to identify the low hanging fruit, then perform White Box testing to identify the more subtle or theoretical security issues. Review Testing The information security assessment may include non-intrusive / passive testing techniques designed to gather information that may reveal additional security weakness. As these tests are passive they should not pose a significant threat to the network or services. Typically, these tests would include reviews of logs, system configurations, firewall rulesets and business documentation such as relevant procedures and policies. Documentation Review - NIST SP Log Review - NIST SP Ruleset Review - NIST SP System Configuration Review - NIST SP Network Sniffing - NIST SP File Integrity Checking - NIST SP RandomStorm - Security Assessment Methodology - RSPS01 Version Page 6

7 i Testing Methodology High Level Overview 1. IN ITI AL Testing Methodology 2. RECO NN A ISS A E NC EPORTING R. 4 ON TATI N E ES R P ING OP SC 5. RandomStorm s infrastructure security assessments follow a 5 step methodology as show in the diagram below. 3. ASSESSMEN T RandomStorm believe that these five steps are crucial in performing a thorough and accurate assessment, providing value for the client and ultimately improving the security of the target network. This methodology is cyclical in that the results of the assessment presented to the client, and provided as a report, feed back into the scope of additional tests. As security is a process rather than a solution, this methodology is designed to work along side the ongoing process. The 5 steps are broad categories and can generally be applied to multiple types of infrastructure assessment, regardless of whether it is internal, external or some other combination. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 7

8 Initial Scoping The consultants work closely with the client to agree on a scope that meets the client s specific security requirements. This will typically involve meetings and / or conference calls to discuss the assessment drivers, the various technologies involved, the results of previous assessments, details of unstable hosts, location of critical business systems, assessment caveats, location of sensitive information and any other relevant details that could affect the test. Confirming a scope with the client at this stage is critical as any testing outside of the defined scope could breach the Computer Misuse Act 1990 as well as other information security relevant legislations. Prioritising and Scheduling Assessments - NIST SP Selecting and Customising Techniques - NIST SP Assessment Logistics - NIST SP Assessment Plan Development - NIST SP Legal Considerations - NIST SP Reconnaissance The consultants will attempt to gather as much information as possible about the target company and target hosts. For an external assessment this information may include DNS records, addresses, usernames, employee names, employee hierarchy, social media posts and website document metadata. The gathered information will be used to aid in attacks against remote administration services, web application login portals and any other attack vectors identified. When directly connected to a corporate network, reconnaissance may involve passively collecting network information for use in the assessment. 1. Network Traffic Analysis The visible network traffic is collected and analysed using packet capture tools. The aim of this test is to identify issues such as clear text credentials and unauthenticated routing information. Traffic analysis can also be used to partially map out network resources and identify security issues with traffic flow. Associated Tools Wireshark, dsniff, tpcdump, Cain & Abel The reconnaissance stage also focuses on active target identification which involves identifying live services, their version and information about the hosting device. This information lays the foundation for the vulnerability assessment, and the majority of this information is used to identify software associated vulnerabilities. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 8

9 2. Port/Service Discovery One of the initial stages of any internal assessment is to identify live ports/services on the target hosts through automated port scanning. The remote operating system is fingerprinted and the service versions are identified. Associated Tools Nmap, Unicorn Scan, xprobe, SinFP and netcat Network Discovery - NIST SP Network Port and Service Identification - NIST SP Wireless Scanning - NIST SP Assessment After completion of the reconnaissance stage the gathered information is used as a basis for the vulnerability assessment, which provides security information to then conduct the full manual penetration test. The objective is to identify all possible vulnerabilities that could potentially lead to a compromise, and to provide a worst case scenario. Coordination - NIST SP Assessing - NIST SP Analysis - NIST SP Data Handling - NIST SP Automated Vulnerability Assessment The results of the initial vulnerability scans provide the foundations for the entire assessment. The automated tools will probe each live service and identify known vulnerabilities based on the results of version banner checks and vulnerability specific plugins. This is the most network intensive part of the assessment as multiple checks will be conducted simultaneously on multiple hosts. Associated Tools Nessus, OpenVas, Saint, Nexpose Vulnerability Scanning - NIST SP Manual Confirmation / Exploitation of Infrastructure Vulnerabilities The consultant will manually confirm the high level CVSS Score 7-10 vulnerabilities identified. This may involve using techniques such as (but not limited to) exploitation code, malformed queries and password attacks, depending on the vulnerability identified. The manual confirmation of vulnerabilities reduces the chances of false positives being RandomStorm - Security Assessment Methodology - RSPS01 Version Page 9

10 reported on. In addition, the compromise of target hosts provides a platform on which to identify additional issues (post-exploitation). Associated Tools Metasploit and Core Impact 3. Manual Confirmation / Exploitation of Web Application Vulnerabilities The automated scanning results will return low level Web application issues, considered the lowest hanging fruit. Therefore, a Web application specific assessment is performed to identify more complex vulnerabilities. As the consultant elevates their privileges and compromises additional services they will attempt to access more areas of the scope to achieve their main objective. Therefore, this stage of the assessment will also examine vulnerabilities associated with areas such as network segmentation and firewall restrictions. The consultant will attempt to identify security weaknesses in the infrastructure that may allow them to access restricted areas such as a cardholder data environment (CDE) in assessments driven by PCI DSS compliance. Associated Tools Burp Suite Professional, WebStorm, SQLMap, Nikto, WPScan, DNSRecon, DirBuster, theharvester, w3af, SSLScan and Nmap Penetration Testing - NIST SP Brute-force / Wordlist Attacks Any service that supports authentication will be assessed with either brute-force or wordlist attacks to identify weak passwords and other security issues. The most common services assessed are Telnet, SSH, FTP, SMB, LDAP, MSSQL and RDP. Associated Tools Hydra, Medusa, Burp and Metasploit Modules Password Cracking - NIST SP Post Exploitation Techniques Once targets have been compromised it is then possible to identify additional vulnerabilities. These will often include local administrator password reuse, the use of weak hashing methods such as LM, cached credentials and weak domain admin passwords. Associated Tools Tools used: Metasploit, Incognito, Mimikatz and fgdump RandomStorm - Security Assessment Methodology - RSPS01 Version Page 10

11 6. Operating System/Service Version NVD Cross-Reference The operating system and service versions found will be cross-referenced with the National Vulnerability Database to identify issues that the automated scanners may have missed. Any new vulnerabilities are confirmed when onsite to reduce the possibility of false positives. Reporting Once all of the assessment data has been collected, the next phase is to analyse this data and create the report documents. The main report will contain a management summary, list of prioritised security issues, and remediation advice. An appendix is also supplied containing all the security information gathered during the assessment. Mitigation Recommendations - NIST SP Reporting - NIST SP Remediation/Mitigation - NIST SP Presentation Once the full assessment report is created, it is uploaded to the secure document area of the RandomStorm Secure Customer Portal. At the customer s request any findings can be presented onsite by the consultants in the form of a presentation to the management and / or employees. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 11

12 i Appendix A - About RandomStorm RandomStorm InfoSec & Compliance Specialists have years of experience helping a broad range of organisations address their IT and business security and related compliance issues. Our people typically hold CISSP, CEH, CCIE and CHECK qualifications and are members of the Institute of information security professionals. We offer bespoke services aimed at taking the pain out of managing security risks and meeting industry regulation; we specialise in implementing InfoSec improvement and compliance strategies; developing secure IT and business processes; and architecting secure IT infrastructure. RandomStorm s specialists have extensive experience of guiding companies of all sizes through the maze of compliance in areas such as FSA, ISO 27001, Sarbanes Oxley and PCI DSS compliance. RandomStorm are a CHECK Green Light company and employ a UK Security Cleared team of Penetration Testers that include CHECK Team Leaders and CHECK Team Members. RandomStorm are a PCI Approved Scanning Vendor and a PCI Qualified Security Assessor. RandomStorm - Security Assessment Methodology - RSPS01 Version Page 12

13 i Appendix B - Professional Services The following is a list of the professional services currently offered by the RandomStorm team. Penetration Testing Team Internal CHECK Security Assessment Internal PCI Security Assessment External Security Assessment Social Engineering Firewall Rule Review Server Build Review WiFi Security Assessment War Dialing Assessment VPN Security Assessment Citrix Security Assessment Training and Education VoIP Security Assessment Active Directory Security Review Compliance Team PCI DSS Gap Analysis PCI DSS Consultancy PCI DSS Assessments ISO/27001 Gap Analysis ISO/27001 Consultancy Physical Security Assessment Incident Response Polices and Procedures Creation Training and Education Web Application Testing Team Web Application Assessments Training and Education Code Review PCI ASV Team External PCI ASV Assessments RandomStorm - Security Assessment Methodology - RSPS01 Version Page 13

14 i Appendix C - Safe Checks All high level (exploitable) vulnerabilities will be securely reported to the client and onsite contact immediately on discovery The laptop used by the engineer will be fully screened for any malicious software that could pose a threat to the target network The automated scanners will have safe checks enabled, all Denial-Of-Service (DoS) checks disabled, and be throttled back (in terms of hosts checked simultaneously and the maximum amount of TCP connections) to reduce the chances of network disruption The assessment will not include the exploitation of vulnerabilities (such as through bufferoverflows) unless the client specifically requests it Wordlist and brute-force attacks will not be performed unless the target service has been confirmed through examination (and by the client) to have no lock-out threshold configured, or similar configuration that could result in network or service disruption Key services such as Microsoft Active Directory and Microsoft SQL databases will not be accessed using compromised accounts without confirmation from the client RandomStorm - Security Assessment Methodology - RSPS01 Version Page 14